packages/grpc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:4c9296e6cf4c903673f9fcb584b1d3a18455890c
Branches Tags
packages:main
...
compare: packages:35b6b8ed265482d8b39d981640e9838c2007affb
Branches Tags
packages:main

10 Commits
4c9296e6cf ... 35b6b8ed26

Author SHA1 Message Date
openeuler-ci-bot
35b6b8ed26
!102 [sync] PR-98: remove cert expired at 20250512 
From: @openeuler-sync-bot 
Reviewed-by: @renmingshuai 
Signed-off-by: @renmingshuai
 2024-06-24 01:31:34 +00:00
sherlock2010
b94360163c remove cert expired at 20250512 
(cherry picked from commit 190059f2705f4c057c2677170211c562843bddd3)
 2024-06-22 17:17:25 +08:00
openeuler-ci-bot
53105c970d
!85 [sync] PR-79: remove cert expired on 20230930 
From: @openeuler-sync-bot 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan
 2023-11-16 14:07:27 +00:00
sherlock2010
efba02a793 remove cert expired on 20230930 
(cherry picked from commit ae9e98141d7f1e02fbf0cdd347f7cd52c5638f14)
 2023-11-16 17:30:03 +08:00
openeuler-ci-bot
ac6650ad07
!76 [sync] PR-74: fix CVE-2023-33953 
From: @openeuler-sync-bot 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan
 2023-09-22 07:24:37 +00:00
sherlock2010
ceb354bfc1 fix CVE-2023-33953 
(cherry picked from commit c4fc11e98d81d5359ab69ac85afea02f763f8ced)
 2023-09-22 15:01:03 +08:00
openeuler-ci-bot
1e5498074d
!70 [sync] PR-69: fix CVE-2023-4785 
From: @openeuler-sync-bot 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan
 2023-09-20 03:39:28 +00:00
sherlock2010
51f3c1ceeb fix CVE-2023-4785 
(cherry picked from commit 295749a40dc08df871670c4b430e504697eebe21)
 2023-09-20 11:08:28 +08:00
openeuler-ci-bot
794d09577a
!54 add some secure compilation options 
From: @sherlock2010 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw
 2022-10-20 08:22:04 +00:00
zhouyihang
dc2dbd62cf add some secure compilation options 2022-10-20 08:01:08 +00:00
7 changed files with 433 additions and 8 deletions
Show Stats Expand all files Collapse all files

12
add-secure-compile-option-in-Makefile.patch
View File

@ -8,9 +8,9 @@ diff -urN grpc/CMakeLists.txt grpc_new/CMakeLists.txt
endif() endif()
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${_gRPC_C_CXX_FLAGS}") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${_gRPC_C_CXX_FLAGS}")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${_gRPC_C_CXX_FLAGS}") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${_gRPC_C_CXX_FLAGS}")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-z,now -fPIE -fPIC") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wl,-z,now -fstack-protector-strong") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2")
+set(_gRPC_ALLTARGETS_LIBRARYIES "${_gRPC_ALLTARGETS_LIBRARYIES} -Wl,-z,now -pie") +set(_gRPC_ALLTARGETS_LIBRARYIES "${_gRPC_ALLTARGETS_LIBRARYIES} -Wl,-z,relro -Wl,-z,now -pie")
if(gRPC_USE_PROTO_LITE) if(gRPC_USE_PROTO_LITE)
set(_gRPC_PROTOBUF_LIBRARY_NAME "libprotobuf-lite") set(_gRPC_PROTOBUF_LIBRARY_NAME "libprotobuf-lite")
@ -23,9 +23,9 @@ index 6ede6e34d2..d6190ecde4 100644
DEFINES += $(EXTRA_DEFINES) DEFINES += $(EXTRA_DEFINES)
LDLIBS += $(EXTRA_LDLIBS) LDLIBS += $(EXTRA_LDLIBS)
+CFLAGS += -Wl,-z,now -fPIE -fPIC +CFLAGS += -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2
+CPPFLAGS += -Wl,-z,now -fstack-protector-strong +CPPFLAGS += -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2
+LDFLAGS += -Wl,-z,now -pie +LDFLAGS += -Wl,-z,relro -Wl,-z,now -pie
+ +
HOST_CPPFLAGS += $(CPPFLAGS) HOST_CPPFLAGS += $(CPPFLAGS)
HOST_CFLAGS += $(CFLAGS) HOST_CFLAGS += $(CFLAGS)

58
backport-Ignore-Connection-Aborted-errors-on-accept-29318.patch Normal file
View File

@ -0,0 +1,58 @@
From 5850cba2957cc894477e735a74aa6c246b499ff4 Mon Sep 17 00:00:00 2001
From: Yash Tibrewal <yashkt@google.com>
Date: Mon, 11 Apr 2022 15:49:18 -0700
Subject: [PATCH] Ignore Connection Aborted errors on accept (#29318)
* Ignore Connection Aborted errors on accept
* Reviewer comments
---
src/core/lib/iomgr/tcp_server_posix.cc | 32 +++++++++++++-------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/src/core/lib/iomgr/tcp_server_posix.cc b/src/core/lib/iomgr/tcp_server_posix.cc
index c40ddbf646..f02bb8396a 100644
--- a/src/core/lib/iomgr/tcp_server_posix.cc
+++ b/src/core/lib/iomgr/tcp_server_posix.cc
@@ -204,22 +204,22 @@ static void on_read(void* arg, grpc_error_handle err) {
strip off the ::ffff:0.0.0.0/96 prefix first. */
int fd = grpc_accept4(sp->fd, &addr, 1, 1);
if (fd < 0) {
- switch (errno) {
- case EINTR:
- continue;
- case EAGAIN:
- grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
- return;
- default:
- gpr_mu_lock(&sp->server->mu);
- if (!sp->server->shutdown_listeners) {
- gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
- } else {
- /* if we have shutdown listeners, accept4 could fail, and we
- needn't notify users */
- }
- gpr_mu_unlock(&sp->server->mu);
- goto error;
+ if (errno == EINTR) {
+ continue;
+ } else if (errno == EAGAIN || errno == ECONNABORTED ||
+ errno == EWOULDBLOCK) {
+ grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
+ return;
+ } else {
+ gpr_mu_lock(&sp->server->mu);
+ if (!sp->server->shutdown_listeners) {
+ gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
+ } else {
+ /* if we have shutdown listeners, accept4 could fail, and we
+ needn't notify users */
+ }
+ gpr_mu_unlock(&sp->server->mu);
+ goto error;
}
}
--
2.33.0

192
backport-iomgr-EventEngine-Improve-server-handling-o.patch Normal file
View File

@ -0,0 +1,192 @@
From 1e86ca5834b94cae7d5e6d219056c0fc895cf95d Mon Sep 17 00:00:00 2001
From: AJ Heller <hork@google.com>
Date: Wed, 12 Jul 2023 18:42:09 -0700
Subject: [PATCH] [backport][iomgr][EventEngine] Improve server handling of
file descriptor exhaustion (#33672)
Backport of #33656
---
src/core/lib/iomgr/tcp_server_posix.cc | 46 ++++++++++++++-----
src/core/lib/iomgr/tcp_server_utils_posix.h | 13 +++++
.../iomgr/tcp_server_utils_posix_common.cc | 21 ++++++++
3 files changed, 67 insertions(+), 13 deletions(-)
diff --git a/src/core/lib/iomgr/tcp_server_posix.cc b/src/core/lib/iomgr/tcp_server_posix.cc
index a1db16d916..6804928fe3 100644
--- a/src/core/lib/iomgr/tcp_server_posix.cc
+++ b/src/core/lib/iomgr/tcp_server_posix.cc
@@ -16,13 +16,17 @@
*
*/
+#include <grpc/support/port_platform.h>
+
+#include <utility>
+
+#include <grpc/support/atm.h>
+
/* FIXME: "posix" files shouldn't be depending on _GNU_SOURCE */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
-#include <grpc/support/port_platform.h>
-
#include "src/core/lib/iomgr/port.h"
#ifdef GRPC_POSIX_SOCKET_TCP_SERVER
@@ -45,6 +49,7 @@
#include "absl/strings/str_cat.h"
#include "absl/strings/str_format.h"
+#include <grpc/event_engine/event_engine.h>
#include <grpc/support/alloc.h>
#include <grpc/support/log.h>
#include <grpc/support/sync.h>
@@ -350,21 +357,35 @@ static void on_read(void* arg, grpc_error_handle err) {
if (fd < 0) {
if (errno == EINTR) {
continue;
- } else if (errno == EAGAIN || errno == ECONNABORTED ||
- errno == EWOULDBLOCK) {
+ }
+ // When the process runs out of fds, accept4() returns EMFILE. When this
+ // happens, the connection is left in the accept queue until either a
+ // read event triggers the on_read callback, or time has passed and the
+ // accept should be re-tried regardless. This callback is not cancelled,
+ // so a spurious wakeup may occur even when there's nothing to accept.
+ // This is not a performant code path, but if an fd limit has been
+ // reached, the system is likely in an unhappy state regardless.
+ if (errno == EMFILE) {
+ grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
+ if (gpr_atm_full_xchg(&sp->retry_timer_armed, true)) return;
+ grpc_timer_init(&sp->retry_timer,
+ grpc_core::ExecCtx::Get()->Now() + 1 * GPR_MS_PER_SEC,
+ &sp->retry_closure);
+ return;
+ }
+ if (errno == EAGAIN || errno == ECONNABORTED || errno == EWOULDBLOCK) {
grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
return;
+ }
+ gpr_mu_lock(&sp->server->mu);
+ if (!sp->server->shutdown_listeners) {
+ gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
} else {
- gpr_mu_lock(&sp->server->mu);
- if (!sp->server->shutdown_listeners) {
- gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
- } else {
- /* if we have shutdown listeners, accept4 could fail, and we
- needn't notify users */
- }
- gpr_mu_unlock(&sp->server->mu);
- goto error;
+ // if we have shutdown listeners, accept4 could fail, and we
+ // needn't notify users
}
+ gpr_mu_unlock(&sp->server->mu);
+ goto error;
}
/* For UNIX sockets, the accept call might not fill up the member sun_path
@@ -558,6 +581,7 @@ static grpc_error_handle clone_port(grpc_tcp_listener* listener,
sp->port_index = listener->port_index;
sp->fd_index = listener->fd_index + count - i;
GPR_ASSERT(sp->emfd);
+ grpc_tcp_server_listener_initialize_retry_timer(sp);
while (listener->server->tail->next != nullptr) {
listener->server->tail = listener->server->tail->next;
}
@@ -791,6 +815,7 @@ static void tcp_server_shutdown_listeners(grpc_tcp_server* s) {
if (s->active_ports) {
grpc_tcp_listener* sp;
for (sp = s->head; sp; sp = sp->next) {
+ grpc_timer_cancel(&sp->retry_timer);
grpc_fd_shutdown(sp->emfd,
GRPC_ERROR_CREATE_FROM_STATIC_STRING("Server shutdown"));
}
diff --git a/src/core/lib/iomgr/tcp_server_utils_posix.h b/src/core/lib/iomgr/tcp_server_utils_posix.h
index 26cef0209f..de5a888cff 100644
--- a/src/core/lib/iomgr/tcp_server_utils_posix.h
+++ b/src/core/lib/iomgr/tcp_server_utils_posix.h
@@ -30,6 +30,7 @@
#include "src/core/lib/iomgr/resolve_address.h"
#include "src/core/lib/iomgr/socket_utils_posix.h"
#include "src/core/lib/iomgr/tcp_server.h"
+#include "src/core/lib/iomgr/timer.h"
/* one listening port */
typedef struct grpc_tcp_listener {
@@ -52,6 +53,11 @@ typedef struct grpc_tcp_listener {
identified while iterating through 'next'. */
struct grpc_tcp_listener* sibling;
int is_sibling;
+ // If an accept4() call fails, a timer is started to drain the accept queue in
+ // case no further connection attempts reach the gRPC server.
+ grpc_closure retry_closure;
+ grpc_timer retry_timer;
+ gpr_atm retry_timer_armed;
} grpc_tcp_listener;
/* the overall server */
@@ -139,4 +145,10 @@ grpc_error_handle grpc_tcp_server_prepare_socket(
/* Ruturn true if the platform supports ifaddrs */
bool grpc_tcp_server_have_ifaddrs(void);
+// Initialize (but don't start) the timer and callback to retry accept4() on a
+// listening socket after file descriptors have been exhausted. This must be
+// called when creating a new listener.
+void grpc_tcp_server_listener_initialize_retry_timer(
+ grpc_tcp_listener* listener);
+
#endif /* GRPC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H */
diff --git a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
index 574fd02d0d..a32f542c4a 100644
--- a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
+++ b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
@@ -18,6 +18,8 @@
#include <grpc/support/port_platform.h>
+#include <grpc/support/atm.h>
+
#include "src/core/lib/iomgr/port.h"
#ifdef GRPC_POSIX_SOCKET_TCP_SERVER_UTILS_COMMON
@@ -81,6 +83,24 @@ static int get_max_accept_queue_size(void) {
return s_max_accept_queue_size;
}
+static void listener_retry_timer_cb(void* arg, grpc_error_handle err) {
+ // Do nothing if cancelled.
+ if (err != GRPC_ERROR_NONE) return;
+ grpc_tcp_listener* listener = static_cast<grpc_tcp_listener*>(arg);
+ gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
+ if (!grpc_fd_is_shutdown(listener->emfd)) {
+ grpc_fd_set_readable(listener->emfd);
+ }
+}
+
+void grpc_tcp_server_listener_initialize_retry_timer(
+ grpc_tcp_listener* listener) {
+ gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
+ grpc_timer_init_unset(&listener->retry_timer);
+ GRPC_CLOSURE_INIT(&listener->retry_closure, listener_retry_timer_cb, listener,
+ grpc_schedule_on_exec_ctx);
+}
+
static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd,
const grpc_resolved_address* addr,
unsigned port_index,
@@ -112,6 +132,7 @@ static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd,
sp->server = s;
sp->fd = fd;
sp->emfd = grpc_fd_create(fd, name.c_str(), true);
+ grpc_tcp_server_listener_initialize_retry_timer(sp);
memcpy(&sp->addr, addr, sizeof(grpc_resolved_address));
sp->port = port;
sp->port_index = port_index;
--
2.33.0

37
fix-CVE-2023-33953-add-header-limit.patch Normal file
View File

@ -0,0 +1,37 @@
From 5fe782778f535ae68508fb7979df1cbfbdf4d6de Mon Sep 17 00:00:00 2001
From: sunsuwan <sunsuwan3@huawei.com>
Date: Mon, 4 Sep 2023 21:45:49 +0800
Subject: [PATCH] CVE-2023-33953 add header limit
Signed-off-by: zhouyihang <zhouyihang3@h-partners.com>
Signed-off-by: sunsuwan <sunsuwan3@huawei.com>
---
.../ext/transport/chttp2/transport/hpack_parser.cc | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
index 09681fa..6b191a7 100644
--- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc
+++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
@@ -1372,6 +1372,18 @@ grpc_error_handle grpc_chttp2_header_parser_parse(void* hpack_parser,
auto* parser = static_cast<grpc_core::HPackParser*>(hpack_parser);
if (s != nullptr) {
s->stats.incoming.header_bytes += GRPC_SLICE_LENGTH(slice);
+ if (s->stats.incoming.header_bytes > t->settings[GRPC_ACKED_SETTINGS]
+ [GRPC_CHTTP2_SETTINGS_MAX_HEADER_LIST_SIZE]) {
+ grpc_chttp2_cancel_stream(
+ t, s,
+ grpc_error_set_int(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "received header size exceeds limit"),
+ GRPC_ERROR_INT_GRPC_STATUS,
+ GRPC_STATUS_RESOURCE_EXHAUSTED));
+ grpc_chttp2_parsing_become_skip_parser(t);
+ s->seen_error = true;
+ return GRPC_ERROR_NONE;
+ }
}
grpc_error_handle error = parser->Parse(slice, is_last != 0);
if (error != GRPC_ERROR_NONE) {
--
2.33.0

40
grpc.spec
View File

@ -3,7 +3,7 @@
Name: grpc Name: grpc
Version: 1.41.1 Version: 1.41.1
Release: 3 Release: 8
Summary: A modern, open source high performance RPC framework that can run in any environment Summary: A modern, open source high performance RPC framework that can run in any environment
License: ASL 2.0 License: ASL 2.0
URL: https://www.grpc.io URL: https://www.grpc.io
@ -12,6 +12,11 @@ Source0: https://github.com/grpc/grpc/archive/v%{version}/%{name}-%{versio
Patch0006: repair-pkgconfig-path.patch Patch0006: repair-pkgconfig-path.patch
Patch0007: add-secure-compile-option-in-Makefile.patch Patch0007: add-secure-compile-option-in-Makefile.patch
Patch0010: backport-grpc-1.41.1-python-grpcio-use-system-abseil.patch Patch0010: backport-grpc-1.41.1-python-grpcio-use-system-abseil.patch
Patch0011: backport-Ignore-Connection-Aborted-errors-on-accept-29318.patch
Patch0012: backport-iomgr-EventEngine-Improve-server-handling-o.patch
Patch0013: fix-CVE-2023-33953-add-header-limit.patch
Patch0014: remove-cert-expired-on-20230930.patch
Patch0015: remove-cert-expired-at-20250512.patch
BuildRequires: gcc-c++ pkgconfig protobuf-devel protobuf-compiler BuildRequires: gcc-c++ pkgconfig protobuf-devel protobuf-compiler
BuildRequires: openssl-devel c-ares-devel gtest-devel zlib-devel gperftools-devel BuildRequires: openssl-devel c-ares-devel gtest-devel zlib-devel gperftools-devel
@ -76,7 +81,8 @@ cmake ../../ -DgRPC_INSTALL=ON\
-DgRPC_INSTALL_SHAREDIR=%{buildroot}%{_datadir}/%{name} \ -DgRPC_INSTALL_SHAREDIR=%{buildroot}%{_datadir}/%{name} \
-DgRPC_INSTALL_PKGCONFIGDIR=%{buildroot}%{_libdir}/pkgconfig \ -DgRPC_INSTALL_PKGCONFIGDIR=%{buildroot}%{_libdir}/pkgconfig \
-DCMAKE_INSTALL_PREFIX=%{_prefix} \ -DCMAKE_INSTALL_PREFIX=%{_prefix} \
-DBUILD_SHARED_LIBS=ON -DBUILD_SHARED_LIBS=ON \
-DCMAKE_VERBOSE_MAKEFILE=ON
make -j24 V=1 make -j24 V=1
# build python module # build python module
@ -137,6 +143,36 @@ cd ../..
%{python3_sitearch}/grpcio-%{version}-py?.?.egg-info %{python3_sitearch}/grpcio-%{version}-py?.?.egg-info
%changelog %changelog
* Fri Jun 21 2024 zhouyihang<zhouyihang3@h-partners.com> - 1.41.1-8
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:remove cert expired at 20250512
* Wed Nov 15 2023 zhouyihang<zhouyihang3@h-partners.com> - 1.41.1-7
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:remove cert expired on 20230930
* Fri Sep 22 2023 zhouyihang<zhouyihang3@h-partners.com> - 1.41.1-6
- Type:CVE
- ID:CVE-2023-33953
- SUG:NA
- DESC:fix CVE-2023-33953
* Wed Sep 20 2023 zhouyihang<zhouyihang3@h-partners.com> - 1.41.1-5
- Type:CVE
- ID:CVE-2023-4785
- SUG:NA
- DESC:fix CVE-2023-4785
* Thu Oct 20 2022 zhouyihang<zhouyihang3@h-partners.com> - 1.41.1-4
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: add some secure compilation options
* Sat Apr 16 2022 xingwei<xingwei14@h-partners.com> - 1.41.1-3 * Sat Apr 16 2022 xingwei<xingwei14@h-partners.com> - 1.41.1-3
- Type:enhancement - Type:enhancement
- ID:NA - ID:NA

51
remove-cert-expired-at-20250512.patch Normal file
View File

@ -0,0 +1,51 @@
From 15327a17f80de1251e84d38dda045bbfd7061125 Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai@huawei.com>
Date: Tue, 28 May 2024 20:59:35 +0800
Subject: [PATCH] huawei-remove-cert-expired-at-20250512
---
etc/roots.pem | 29 -----------------------------
1 file changed, 29 deletions(-)
diff --git a/etc/roots.pem b/etc/roots.pem
index c599727..d84a8f5 100644
--- a/etc/roots.pem
+++ b/etc/roots.pem
@@ -64,35 +64,6 @@ bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
fF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
-# Issuer: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
-# Subject: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
-# Label: "Baltimore CyberTrust Root"
-# Serial: 33554617
-# MD5 Fingerprint: ac:b6:94:a5:9c:17:e0:d7:91:52:9b:b1:97:06:a6:e4
-# SHA1 Fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74
-# SHA256 Fingerprint: 16:af:57:a9:f6:76:b0:ab:12:60:95:aa:5e:ba:de:f2:2a:b3:11:19:d6:44:ac:95:cd:4b:93:db:f3:f2:6a:eb
------BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
------END CERTIFICATE-----
-
# Issuer: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
# Subject: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
# Label: "Entrust Root Certification Authority"
--
2.33.0

51
remove-cert-expired-on-20230930.patch Normal file
View File

@ -0,0 +1,51 @@
From 924b52b761bb3fae1f9a316e6a7989f3d3be8687 Mon Sep 17 00:00:00 2001
From: sunsuwan <sunsuwan3@huawei.com>
Date: Tue, 8 Aug 2023 15:27:04 +0800
Subject: [PATCH] remove cert expired on 20230930
---
etc/roots.pem | 28 ----------------------------
1 file changed, 28 deletions(-)
diff --git a/etc/roots.pem b/etc/roots.pem
index bd5911a..c599727 100644
--- a/etc/roots.pem
+++ b/etc/roots.pem
@@ -248,34 +248,6 @@ mJlglFwjz1onl14LBQaTNx47aTbrqZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK
4SVhM7JZG+Ju1zdXtg2pEto=
-----END CERTIFICATE-----
-# Issuer: O=SECOM Trust.net OU=Security Communication RootCA1
-# Subject: O=SECOM Trust.net OU=Security Communication RootCA1
-# Label: "Security Communication Root CA"
-# Serial: 0
-# MD5 Fingerprint: f1:bc:63:6a:54:e0:b5:27:f5:cd:e7:1a:e3:4d:6e:4a
-# SHA1 Fingerprint: 36:b1:2b:49:f9:81:9e:d7:4c:9e:bc:38:0f:c6:56:8f:5d:ac:b2:f7
-# SHA256 Fingerprint: e7:5e:72:ed:9f:56:0e:ec:6e:b4:80:00:73:a4:3f:c3:ad:19:19:5a:39:22:82:01:78:95:97:4a:99:02:6b:6c
------BEGIN CERTIFICATE-----
-MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY
-MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t
-dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5
-WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD
-VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8
-9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ
-DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9
-Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N
-QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ
-xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G
-A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T
-AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG
-kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr
-Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5
-Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU
-JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot
-RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw==
------END CERTIFICATE-----
-
# Issuer: CN=XRamp Global Certification Authority O=XRamp Security Services Inc OU=www.xrampsecurity.com
# Subject: CN=XRamp Global Certification Authority O=XRamp Security Services Inc OU=www.xrampsecurity.com
# Label: "XRamp Global CA Root"
--
2.33.0